What Is Claimed Is: 



1. A method of producing at least one alert indication based on a number of events derived from an enterprise comprising:

providing a plurality of enterprise device outputs, at least a portion of the outputs having different formats, each output containing an event relating to an enterprise device;

translating each output into a common format event;

adding knowledge to the common format event using knowledge base table files to generate a knowledge-containing common format event; and

applying one or more rules from a set of rules to the knowledge-containing common format event to generate the alert indication.

2. The method of claim 1, wherein the common format event contains at least a generic description of a specific event occurring as part of each device output.



3. The method of claim 1, wherein generating the knowledge-containing common format event further comprises comparing the common format event for each network device to a number of knowledge base table entries contained in a knowledge base table, wherein knowledge is added from one or more of the knowledge base table entries when a match between the translated common format event and the entry in the knowledge base table is made.



4. The method of claim 1, wherein the enterprise devices are selected from the group consisting of a server, a firewall, a modem, a work station, a router, a remote machine, an intrusion detection system, an identification and authentication server, network monitoring and management systems, network components, and one or more combinations thereof.

5. The method of claim 1, wherein the translating step further comprises:

matching data values in the device output with a signature specification for each enterprise device, the signature specification containing:

    a number of signatures;

    a first location identifier for each signature; and

    a first key;

    wherein the signature is a listing of names found in the device output, the first location identifier determines the method used to locate the name in the device output, and the first key determines where to locate the name in the device output;

identifying a message type from a plurality of message types for each enterprise device based on the device output as part of the translated common format event;

producing the remainder of the translated common format event in argument name and argument value pairs using an argument specification, the argument specification containing:

    a listing of arguments;

    a field type;

    a second location identifier for each argument; and

    a second key;

    wherein each argument is a listing of argument names for inclusion in the translated common format event, the field type specifies the form of an argument value found in the device output, the second location identifier determines the location of each argument value, and the second key locates the argument value in the device output to be displayed with the argument name.



6. The method of claim 1, wherein the knowledge-containing common format event comprises one or more names selected from the group of a device alert, a generic alert, a threat severity, a benign explanation, a recommended action, a common vulnerabilities and exposure code, a conclusion, and a category code, and a corresponding value for each name.
7. The method of claim 1, wherein one or more rules determine when or whether the knowledge-containing common format event is generated, and final rule-based additions to the content of such generated events.

8. The method of claim 7, wherein the rule requires that each output occur a number of times over a period of time before an alert indication is generated.

9. The method of claim 1, wherein the output is one of an 
unauthorized login, an unauthorized physical entry, and an 
attempt to bypass a firewall. 

10. The method of claim 3, wherein the translating step further comprises:

matching data values in the device output with a signature specification for each enterprise device, the signature specification containing:

    a number of signatures;

    a first location identifier for each signature; and

    a first key;

    wherein the signature is a listing of names found in the device output, the first location identifier determines the method used to locate the name in the device output, and the first key determines where to locate the name in the device output;

identifying a message type from a plurality of message types for each enterprise device based on the device output as part of the translated common format event;

producing the remainder of the translated common format event in argument name and argument value pairs using an argument specification, the argument specification containing:

    a listing of arguments;

    a field type;

    a second location identifier; and

    a second key;

    wherein each argument is a listing of argument names for inclusion in the translated common format event, the field type specifies the form of an argument value found in the device output, the second location identifier determines the location of each argument value, and the second key locates the argument value in the device output to be displayed with the argument name.
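The translating step recited in claims 5 and 10 (a signature specification that identifies the message type, then an argument specification that yields name/value pairs) worked through in Python. This is an added illustration, not code from the patent or from any product; the device names, the `Signature`/`Argument` fields, the two locator methods ("regex" and "kv"), the field types and the sample output lines are all constructed assumptions. It goes one step beyond the claim text by recording values that fail their field type in a `malformed` list instead of silently dropping them, so a parser gap shows up in the event rather than as a missing field.

```python
"""Translate device outputs of different formats into common format events
using a per-device signature specification and argument specification.
Added illustration; specs, sample lines and field names are constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # name looked for in the device output; doubles as the message type
    locator: str     # method used to locate the name: "regex" or "kv" (assumed values)
    key: str         # where to locate it: a regex with one group, or a key=value key


@dataclass(frozen=True)
class Argument:
    name: str        # argument name to include in the common format event
    field_type: str  # form of the value in the device output: "str", "int" or "ip"
    locator: str     # method used to locate the value
    key: str         # where the value is found in the device output


# Matches key=value tokens, allowing a double-quoted value that contains spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def locate(output: str, locator: str, key: str):
    """Return the raw string found by (locator, key) in the output, or None."""
    if locator == "kv":
        for k, v in KV_RE.findall(output):
            if k == key:
                return v.strip('"')
        return None
    if locator == "regex":
        m = re.search(key, output)
        return m.group(1) if m else None
    raise ValueError(f"unknown location identifier {locator!r}")


def coerce(raw: str, field_type: str):
    """Convert a raw value to the form the argument specification requires."""
    if field_type == "int":
        return int(raw)
    if field_type == "ip":
        return str(ipaddress.ip_address(raw))  # raises ValueError on junk
    if field_type == "str":
        return raw
    raise ValueError(f"unknown field type {field_type!r}")


def translate(device: str, output: str, signatures, argument_specs):
    """Produce a common format event: a message type plus name/value pairs.
    Returns None when no signature matches, so unknown formats are never guessed."""
    message = next((s.name for s in signatures
                    if locate(output, s.locator, s.key) == s.name), None)
    if message is None:
        return None
    event = {"device": device, "message": message}
    malformed = []
    for arg in argument_specs.get(message, ()):
        raw = locate(output, arg.locator, arg.key)
        if raw is None:
            continue  # argument absent from this particular output
        try:
            event[arg.name] = coerce(raw, arg.field_type)
        except ValueError:
            malformed.append(arg.name)  # keep the event, record the bad field
    if malformed:
        event["malformed"] = malformed
    return event


# Constructed specifications for two devices with different output formats.
FW_SIGS = [Signature(n, "regex", r"kernel: (DENY|ACCEPT)\b") for n in ("DENY", "ACCEPT")]
FW_ARGS = {m: [Argument("src", "ip", "kv", "SRC"), Argument("dst", "ip", "kv", "DST"),
               Argument("proto", "str", "kv", "PROTO"), Argument("dport", "int", "kv", "DPT")]
           for m in ("DENY", "ACCEPT")}
IDS_SIGS = [Signature("SSH brute force", "kv", "msg")]
IDS_ARGS = {"SSH brute force": [Argument("src", "ip", "kv", "src"), Argument("dst", "ip", "kv", "dst"),
                                Argument("sid", "int", "kv", "sid"), Argument("count", "int", "kv", "count")]}

# Constructed sample outputs: a kernel-style firewall log and a key=value IDS log.
SAMPLE_OUTPUTS = [
    ("fw01", FW_SIGS, FW_ARGS, "Mar  3 10:12:01 fw01 kernel: DENY IN=eth0 SRC=10.0.0.5 DST=192.0.2.7 PROTO=TCP DPT=22"),
    ("ids02", IDS_SIGS, IDS_ARGS, '2024-03-03T10:12:05Z sensor=ids02 msg="SSH brute force" sid=2001219 src=10.0.0.5 dst=192.0.2.7 count=12'),
    ("fw01", FW_SIGS, FW_ARGS, "Mar  3 10:12:07 fw01 kernel: DENY IN=eth0 SRC=10.0.0.999 DST=192.0.2.7 PROTO=TCP DPT=22"),
    ("fw01", FW_SIGS, FW_ARGS, "Mar  3 10:12:09 fw01 sshd[1234]: Accepted publickey for ops from 10.0.0.3"),
]


def demo():
    """Translate the sample outputs; one result per line (None where nothing matched)."""
    return [translate(dev, line, sigs, args) for dev, sigs, args, line in SAMPLE_OUTPUTS]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third sample line carries an impossible source address, so its event is emitted with `"malformed": ["src"]` and no `src` key; the fourth line matches no signature and yields `None`, which a caller would count as an untranslated output rather than fabricate a message type for.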

11. The method of claim 10, wherein the rule determines when or whether the knowledge-containing common format event is generated.

12. The method of claim 11, wherein the rule requires that each output occur a number of times over a period of time before an alert indication is generated.
13. The method of claim 1, wherein the alert indication includes at least a text message describing the event contained in the output of the enterprise device.

14. The method of claim 13, wherein a threat level is 
included as part of the alert indication. 
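Claims 3, 6, 7, 8, 11, 12, 13 and 14 together describe the second half of the method: matching a common format event against knowledge base table entries to add knowledge (device alert, generic alert, threat severity, benign explanation, recommended action, CVE, conclusion, category code), then applying rules that require a number of occurrences over a period of time before an alert indication carrying a text message and a threat level is produced. The Python below is an added illustration of that pipeline, not code from the patent or any product; the knowledge base entries, the `Rule` fields, the counting-window semantics, the event dictionaries and their timestamps are constructed assumptions, and the `cve` values are placeholders. Two practitioner-level details are added beyond the claim text: an event with no table match is flagged rather than dropped, and a rule's occurrence history is cleared when it fires so one burst produces one alert instead of one per further event.

```python
"""Add knowledge to common format events from a knowledge base table, then apply
count-over-time rules to produce alert indications with a text message and a
threat level. Added illustration; table entries, rules and events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed knowledge base table. An entry matches when every field in "match"
# equals the event's field; its "knowledge" is then copied into the event.
KNOWLEDGE_BASE = [
    {"match": {"device_type": "ids", "message": "SSH brute force"},
     "knowledge": {"device_alert": "SSH brute force", "generic_alert": "Password guessing",
                   "threat_severity": 4,
                   "benign_explanation": "Automation retrying a revoked key",
                   "recommended_action": "Check auth logs on the target; block the source if confirmed",
                   "cve": None,  # placeholder: no CVE is attached to this constructed entry
                   "category_code": "AUTH-BRUTE"}},
    {"match": {"device_type": "firewall", "message": "DENY", "dport": 22},
     "knowledge": {"device_alert": "DENY tcp/22", "generic_alert": "Blocked SSH connection attempt",
                   "threat_severity": 2,
                   "benign_explanation": "Admin typo or stale jump-host configuration",
                   "recommended_action": "Ignore unless repeated from one source",
                   "cve": None, "category_code": "NET-DENY"}},
]


def add_knowledge(event: dict) -> dict:
    """Return a knowledge-containing copy of the event. An event with no matching
    entry is passed through flagged, not dropped, so gaps in the table stay visible."""
    for entry in KNOWLEDGE_BASE:
        if all(event.get(k) == v for k, v in entry["match"].items()):
            return {**event, **entry["knowledge"], "knowledge_matched": True}
    return {**event, "knowledge_matched": False}


@dataclass(frozen=True)
class Rule:
    name: str
    where: dict       # field/value conditions on the knowledge-containing event
    group_by: tuple   # fields that identify "each output" for counting purposes
    count: int        # occurrences required within the window before alerting
    window: float     # seconds; 0 means alert on the first occurrence
    adds: dict        # information the rule adds to the event when it fires


RULES = [  # constructed rule files
    Rule("ids-bruteforce", {"category_code": "AUTH-BRUTE"}, ("src", "dst"), 1, 0.0,
         {"conclusion": "Active brute force"}),
    Rule("repeated-ssh-deny", {"category_code": "NET-DENY"}, ("src",), 5, 60.0,
         {"conclusion": "Port probing from one host"}),
]


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)  # (rule name, group key) -> event timestamps

    def apply(self, event: dict) -> list:
        """Apply every rule to one knowledge-containing event; return alert indications."""
        alerts = []
        for rule in self.rules:
            if not all(event.get(k) == v for k, v in rule.where.items()):
                continue
            seen = self.history[(rule.name, tuple(event.get(f) for f in rule.group_by))]
            seen.append(event["ts"])
            while event["ts"] - seen[0] > rule.window:  # drop occurrences outside the window
                seen.popleft()
            if len(seen) < rule.count:
                continue
            n = len(seen)
            seen.clear()  # reset so one burst yields one alert rather than one per further event
            enriched = {**event, **rule.adds}
            alerts.append({
                "rule": rule.name,
                "text": (f"{enriched['generic_alert']} on {enriched['device']} from {enriched.get('src')}: "
                         f"{enriched['device_alert']}, {n} occurrence(s) within {rule.window:g}s"),
                "threat_level": enriched["threat_severity"],
                "event": enriched,
            })
        return alerts


def demo() -> list:
    """Run constructed common format events (timestamps in seconds) through the pipeline."""
    base = {"device": "fw01", "device_type": "firewall", "message": "DENY", "dst": "192.0.2.7", "dport": 22}
    events = [{"ts": 0.0, "device": "ids02", "device_type": "ids", "message": "SSH brute force",
               "src": "10.0.0.5", "dst": "192.0.2.7"}]
    events += [{**base, "ts": 10.0 * i, "src": "10.0.0.5"} for i in range(1, 7)]  # six denies, t=10..60
    events += [{**base, "ts": 10.0 * i, "src": "10.0.0.9"} for i in range(1, 4)]  # three denies, t=10..30
    events.append({**base, "ts": 70.0, "src": "10.0.0.5", "dport": 443})           # no table entry
    engine = RuleEngine(RULES)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(engine.apply(add_knowledge(event)))
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert["threat_level"], alert["text"])
```

Running `demo()` yields two alert indications: the IDS event fires its rule on the first occurrence with threat level 4, and the five denies from 10.0.0.5 within 60 seconds fire the second rule at t=50 with threat level 2 and the rule's added conclusion; the sixth deny, the three from 10.0.0.9 and the port 443 deny with no table entry produce nothing.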

15. A system for producing at least one alert indication 
based on a number of events derived from an enterprise 
comprising: 

a plurality of enterprise devices, each device capable of 
producing an output; 

a number of translation files, the translation files 
allowing the output to be translated into a common format event; 

a number of knowledge base table files, matching of the 
common format event with one or more of the knowledge base table 
files adding knowledge from the matched file to generate a 
knowledge-containing common format event; 

a number of rule files, the rule files governing generation 
of the alert indication. 

16. The system of claim 15, wherein the enterprise devices are selected from the group consisting of a server, a firewall, a modem, a work station, a router, a remote machine, an intrusion detection system, an identification and authentication server, network monitoring and management systems, network components, and one or more combinations thereof, or any generator of data streams on the computer network.

17. The system of claim 15, wherein the knowledge-containing common format event comprises one or more names selected from the group of a device alert, a generic alert, a threat severity, a benign explanation, a recommended action, a CVE, a conclusion, and a category code, and a corresponding value for each name.

18. The system of claim 15, wherein the common format event 
comprises a message, and a number of name and value pairs derived 
from the output of the enterprise device. 

19. The system of claim 17, wherein the rule files govern 
at least the frequency of the generation of the alert indication. 

20. The system of claim 19, wherein the common format event 
comprises a message, and a number of name and value pairs derived 
from the output of the enterprise device. 

21. The method of claim 7, wherein the rule adds 
information to the knowledge-containing common format event. 

22. The system of claim 11, wherein the rule adds 
information to the knowledge-containing common format event. 